Problem
After installing and configuring AWS CLI, you receive the following error when executing:
aws s3 ls --endpoint-url https://s3.objstor.cloud4u.com:443/Error:
SSL validation failed for https://s3.objstor.cloud4u.com:443/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1032)
Cause
AWS CLI cannot verify the SSL certificate provided by s3.objstor.cloud4u.com because the Certificate Authority (CA) certificate is not included in the standard trusted root certificates bundle used by AWS CLI.
Solution
First, download the CA Bundle (objstor-cloud4u-ca-bundle.crt) containing the root and intermediate certificates and place it on your server.
Method 1: Add Certificate to Environment Variables (Recommended)
This method configures AWS CLI and other libraries (like python-requests) to use the specified certificate bundle persistently.
Linux / macOS:
Add the following line to your shell initialization file (e.g., ~/.bashrc, ~/.zshrc):
export AWS_CA_BUNDLE="/path/to/objstor-cloud4u-ca-bundle.crt"Apply the changes:
source ~/.bashrcWindows:
Execute in Command Prompt:
setx AWS_CA_BUNDLE "C:\path\to\objstor-cloud4u-ca-bundle.crt"Restart your console for changes to take effect.
Method 2: Specify Certificate Directly in AWS CLI Command
Suitable for one-time command execution.
Linux / macOS:
aws s3 ls --endpoint-url https://s3.objstor.cloud4u.com:443/ --ca-bundle "/path/to/objstor-cloud4u-ca-bundle.crt"Windows:
aws s3 ls --endpoint-url https://s3.objstor.cloud4u.com:443/ --ca-bundle "C:\path\to\objstor-cloud4u-ca-bundle.crt"Method 3: Disable SSL Certificate Verification (NOT RECOMMENDED)
Only use this method for testing purposes in secure, isolated environments.
aws s3api list-buckets --endpoint-url https://s3.objstor.cloud4u.com:443/ --no-verify-sslSecurity Notice
-
Methods 1 & 2 are secure and recommended for production use
-
Method 3 disables certificate validation entirely, exposing you to potential man-in-the-middle attacks
-
Always verify the authenticity of the CA bundle before implementation
Have you tried Cloud4U services? Not yet?
